How Would Microsoft’s User Agreement Work with CISA?

When Jim Comey talks about wanting back doors into Apple products, he often claims that some software providers have managed to put back doors into allegedly secure products.

I keep thinking of that claim when I hear about the many privacy problems with Microsoft 10 — including the most recent report that it will send data to Microsoft even if you’ve disabled some of the spy features on the operating system. Is this the kind of thing Comey had in mind?

I’m even more intrigued given the report that Microsoft changed its Services Users Agreement to permit it to scan your machine looking for counterfeits.

Sometimes you’ll need software updates to keep using the Services. We may automatically check your version of the software and download software updates or configuration changes, including those that prevent you from accessing the Services, playing counterfeit games, or using unauthorized hardware peripheral devices. You may also be required to update the software to continue using the Services.

Add that to this part of the Users Agreement, which permits Microsoft to retain, transmit, and reformat your content, in part “to protect you and the Services.”

To the extent necessary to provide the Services to you and others, to protect you and the Services, and to improve Microsoft products and services, you grant to Microsoft a worldwide and royalty-free intellectual property license to use Your Content, for example, to make copies of, retain, transmit, reformat, display, and distribute via communication tools Your Content on the Services.

The two together seem to broadly protect not just Microsoft sharing data with the government under CISA, but also deploying countermeasures, as permitted under the Cyber Intelligence Sharing Act.

(1) IN GENERAL.—Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, operate a defensive measure that is applied to—

(A) an information system of such private entity in order to protect the rights or property of the private entity;

(B) an information system of another entity upon written consent of such entity for operation of such defensive measure to protect the rights or property of such entity; and

This Service Agreement would seem to imply consent for automatic updates including those that disable what gets called a cybercrime under the bill (that is, counterfeit software) and a general consent to let Microsoft do what it needs to to “protect you and the Services.”

To be fair, the counterfeit clause is just one adopted from Xbox so it may not reflect anything new at all.

But given the presumption that some form of CISA will pass after Congress returns next month, I wonder how these clauses will work under CISA.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

7 replies
  1. P J Evans says:

    I think MS has checked for counterfeit software for quite a long time (with some reason, actually). They shouldn’t have the ability to do any more than that, though, and it’s definitely not their business – or that of the government – what other software I have.

  2. orionATL says:

    microsoft sold me their last piece of software several years ago when i learned they insisted on the right to check my computer for pirated software. what is on my computer is none of their business. they can keep their f’kin’ poorly constructed, buggy, malware-friendly software. no doubt businesses will keep using it, but individuals? why?

  3. Curious says:

    I am no lawyer so take what I write with a grain of salt so to speak.

    An aspect of Win 10 EULA that I dislike (from what I have read about it so far), is what I like to think of as the user seemingly legally agreeing to giving away privileges to Microsoft, of the type that is:

    • nondescript powers, that apparently suffice to being mere excuses (goal oriented points), than explanations (verifiable and justifiable facts)

    • Curious says:

      I also think of the Windows 10 EULA as being what is called a “lopsided” agreement, being something that seems to be generally unfair and disproportionate.

      • orionATL says:

        and that is precisely how i too feel – it is a completely lopsided agreement, as with so many corporate agreements these days, e.g., our credit card company “privacy” agreements, aka, take-it-or-leave-its.
